Malicious files (Windows)

Module: File Watch

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check reports files whose signatures match the attack signatures defined in Malicious File Watch templates. Use the name list to enable or disable Malicious File Watch templates, which are identified by the .mfw file extension.

The following table lists the error messages for the check.

Table: Error messages for Malicious files

Columns: Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information

Message 1

  Message String ID and Category:
    String ID: ESMM_MALICIOUS_FILE
    Category: Policy Compliance

  Platform and Message Numeric ID:
    • Windows 2000 (45935)
    • Windows 2003 (215335)
    • Windows 2008 (215835)
    • Windows Vista (215535)
    • Windows XP (49135)

  Message Title and Description:
    Title: Possible malicious file found
    Description: The file signature matches the malicious file signature pattern that is reported in the Information field. Investigate the file to determine if it is malicious. Compare it with a known good copy if possible. If the file is found to be malicious, remove it from the system and follow the procedures specified by your company's security policy.

  Additional Information:
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [Name: %s; probability: %s%%; description: %s]

Message 2

  Message String ID and Category:
    String ID: ESMM_MFW_TEMPLATE_ERR
    Category: Policy Compliance

  Platform and Message Numeric ID:
    • Windows 2000 (45936)
    • Windows 2003 (215336)
    • Windows 2008 (215836)
    • Windows Vista (215536)
    • Windows XP (49136)

  Message Title and Description:
    Title: MFW template error
    Description: The Malicious File Watch template file contains the error that is reported in the Information field. Correct the error manually, then rerun the check.

  Additional Information:
    Severity: yellow-1
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]

Message 3

  Message String ID and Category:
    String ID: ESMM_MFW_ACCESS_BLOCKED
    Category: Policy Compliance

  Platform and Message Numeric ID:
    • Windows 2000 (45937)
    • Windows 2003 (215337)
    • Windows 2008 (215837)
    • Windows Vista (215537)
    • Windows XP (49137)

  Message Title and Description:
    Title: File access blocked
    Description: The file could not be examined by the Malicious files check. Access may be blocked by an application running on the system (for example, an anti-virus application).

  Additional Information:
    Severity: green-0
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]

Message 4

  Message String ID and Category:
    String ID: ESMM_MALICIOUS_RUN_PROCESS
    Category: Policy Compliance

  Platform and Message Numeric ID:
    • Windows 2000 (45938)
    • Windows 2003 (215338)
    • Windows 2008 (215838)
    • Windows Vista (215538)
    • Windows XP (49138)

  Message Title and Description:
    Title: Possible malicious run process found
    Description: The running program matches a signature pattern of the malicious process that is specified in the Information field. Take appropriate action immediately.

  Additional Information:
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [Name: %s; probability: %s%%; description: %s]

Message 5

  Message String ID and Category:
    String ID: ESMM_NO_TEMPLATE
    Category: Policy Compliance

  Platform and Message Numeric ID:
    • Windows 2000 (45943)
    • Windows 2003 (215343)
    • Windows 2008 (215843)
    • Windows Vista (215543)
    • Windows XP (49143)

  Message Title and Description:
    Title: No template specified
    Description: No template was enabled, so the listed check or option could not be executed. Enable a template with the appropriate file extension and rerun the module.

  Additional Information:
    Severity: red-4
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
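The following script is an added triage example and is not part of the ESM product or its documentation. It uses only the numeric message IDs, severities and Information Field Formats listed in the table above: it resolves a numeric message ID back to its string ID and platform, parses the Information field according to the documented format for that message (the signature format "[Name: %s; probability: %s%%; description: %s]" for the two detection messages, the plain "[%s]" form for the rest), and flags which messages need an analyst. It assumes the Information field arrives as the literal string the documented format produces (so the probability appears as "85%"); the sample records at the bottom are constructed, not real ESM output, and the needs_analyst policy is this example's own choice, not something ESM defines.

```python
"""Decode Symantec ESM "Malicious files" check messages for triage.

Added example, not ESM code. IDs, severities and formats are taken from the
message table; the sample records below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Numeric message IDs per platform, copied from the table.
MESSAGE_IDS: Dict[str, Dict[str, int]] = {
    "ESMM_MALICIOUS_FILE":        {"Windows 2000": 45935, "Windows 2003": 215335,
                                   "Windows 2008": 215835, "Windows Vista": 215535,
                                   "Windows XP": 49135},
    "ESMM_MFW_TEMPLATE_ERR":      {"Windows 2000": 45936, "Windows 2003": 215336,
                                   "Windows 2008": 215836, "Windows Vista": 215536,
                                   "Windows XP": 49136},
    "ESMM_MFW_ACCESS_BLOCKED":    {"Windows 2000": 45937, "Windows 2003": 215337,
                                   "Windows 2008": 215837, "Windows Vista": 215537,
                                   "Windows XP": 49137},
    "ESMM_MALICIOUS_RUN_PROCESS": {"Windows 2000": 45938, "Windows 2003": 215338,
                                   "Windows 2008": 215838, "Windows Vista": 215538,
                                   "Windows XP": 49138},
    "ESMM_NO_TEMPLATE":           {"Windows 2000": 45943, "Windows 2003": 215343,
                                   "Windows 2008": 215843, "Windows Vista": 215543,
                                   "Windows XP": 49143},
}

# Severity per message, copied from the table.
SEVERITY: Dict[str, str] = {
    "ESMM_MALICIOUS_FILE": "yellow-2",
    "ESMM_MFW_TEMPLATE_ERR": "yellow-1",
    "ESMM_MFW_ACCESS_BLOCKED": "green-0",
    "ESMM_MALICIOUS_RUN_PROCESS": "yellow-2",
    "ESMM_NO_TEMPLATE": "red-4",
}

# Reverse index: numeric ID -> (string ID, platform). The IDs are unique
# across platforms, so a single lookup identifies both.
NUMERIC_INDEX: Dict[int, Tuple[str, str]] = {
    num: (sid, platform)
    for sid, per_platform in MESSAGE_IDS.items()
    for platform, num in per_platform.items()
}

# "[Name: %s; probability: %s%%; description: %s]" -- %s%% renders as e.g. "85%".
_SIGNATURE_RE = re.compile(
    r"^\[Name: (?P<name>.*?); probability: (?P<probability>\d+)%; "
    r"description: (?P<description>.*)\]$", re.DOTALL)
# "[%s]" -- the three operational messages carry free text in brackets.
_PLAIN_RE = re.compile(r"^\[(?P<text>.*)\]$", re.DOTALL)

SIGNATURE_MESSAGES = ("ESMM_MALICIOUS_FILE", "ESMM_MALICIOUS_RUN_PROCESS")


@dataclass
class EsmMessage:
    numeric_id: int
    string_id: str
    platform: str
    severity: str
    info: Dict[str, str]


def parse_info_field(string_id: str, info: str) -> Dict[str, str]:
    """Split the Information field using the format documented for string_id."""
    pattern = _SIGNATURE_RE if string_id in SIGNATURE_MESSAGES else _PLAIN_RE
    m = pattern.match(info)
    if not m:
        raise ValueError(f"Information field does not match format for {string_id}: {info!r}")
    return m.groupdict()


def decode(numeric_id: int, info: str) -> EsmMessage:
    """Resolve a numeric message ID to string ID, platform and severity, and parse info."""
    try:
        string_id, platform = NUMERIC_INDEX[numeric_id]
    except KeyError:
        raise ValueError(f"numeric ID {numeric_id} is not a Malicious files message") from None
    return EsmMessage(numeric_id, string_id, platform, SEVERITY[string_id],
                      parse_info_field(string_id, info))


def needs_analyst(msg: EsmMessage) -> bool:
    """Example triage policy (not ESM's): signature hits need investigation, and
    ESMM_NO_TEMPLATE (red-4) means the check silently ran with nothing enabled."""
    return msg.string_id in SIGNATURE_MESSAGES or msg.string_id == "ESMM_NO_TEMPLATE"


if __name__ == "__main__":
    # Constructed sample records; not real ESM output.
    samples = [
        (215335, "[Name: EXAMPLE_SIG; probability: 85%; description: constructed sample]"),
        (49137, "[C:\\Windows\\Temp\\example.tmp]"),
        (215543, "[no .mfw template enabled]"),
    ]
    for num, text in samples:
        m = decode(num, text)
        print(m.string_id, m.platform, m.severity, m.info, "analyst" if needs_analyst(m) else "log")
```

Keying on the numeric ID rather than the title text keeps the decoder stable if message titles are localized, and the per-message format selection means a malformed Information field raises instead of being silently swallowed, which matters for ESMM_MFW_TEMPLATE_ERR and ESMM_NO_TEMPLATE because those indicate the check itself is not producing detections.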